Insider threats are expensive. The average cost of an insider threat rose to $11.45 million according to the 2020 Cost Of Insider Threats Global Report [PDF] by the Ponemon Institute. Companies have to spend a fortune on lawsuits, fines for non-compliance with security requirements, and to mitigate the consequences of cybersecurity incidents. Not to mention the negative impact such incidents have on an organization’s reputation.
To efficiently handle cybersecurity incidents, you need to know what to expect and be able to mitigate security risks before they become real threats. This is where an insider threat risk assessment comes into play. Let’s explore in detail why your organization needs to implement this practice and how you can benefit from regular risk assessments.
Insider threat risk assessment: definition, purpose, and goals
What is an insider threat risk assessment?
An insider threat risk assessment is a practice that helps you evaluate your data’s current level of protection against malicious and inadvertent insiders, determine potential risks to your organization, and assess the likelihood and potential harm of each risk.
The NIST Guide for Conducting Risk Assessments identifies the purpose of a risk assessment as the following:
When conducting an insider threat risk assessment, you need to:
- Define all insider threats to your organization
- Identify how vulnerable your most valuable assets and sensitive data are to these risks
- Explore how your current cybersecurity measures can mitigate these risks
- Use the information you’ve gathered to analyze if your data is adequately protected
An insider threat risk assessment is an essential element of an efficient insider threat program. An insider threat risk assessment is usually performed as part of a general cybersecurity risk assessment, and in this article, we’ll use these terms interchangeably.
When do you need to assess the risk of insider threats?
There are three reasons to assess the risk of insider threats.
Organizations that work with sensitive data should assess the risk of insider threats in particular and all cybersecurity risks in general when they need to:
Audit your organization’s cybersecurity. Various companies apply risk assessments as an essential part of a risk management strategy when they need to evaluate their current state of cybersecurity.
- Common reasons for conducting a cybersecurity audit are:
- Running regular checks as part of a cybersecurity policy
- Planning for a business expansion or reorganization
- Seeing a rising amount of cybersecurity incidents in your industry
Apply for cybersecurity insurance. By performing an insider threat risk assessment, you can better prepare to apply for cybersecurity insurance. Companies that provide such insurance require some form of risk assessment before defining the terms of your coverage.
To analyze an organization’s risk level and offer the most relevant terms, insurers use various risk assessment methods such as:
- Underwriting questionnaires
- Client meetings
- Threat intelligence
- Open source intelligence
- Risk audits
- Third-party assurance reports
Comply with laws, regulations, and security standards. A general security risk assessment is a great way to ensure information security within an organization. This practice is highly recommended or even mandatory according to organizations like NIST and ISO and according to laws and standards such as HIPAA and PCI DSS.
1. Prepare for assessment — Define the purpose and scope of the assessment, assumptions and constraints associated with it, sources of information, risk model, and analytical approaches to be used.
2. Conduct the assessment — Identify relevant threat sources and events as well as vulnerabilities that could be exploited; determine the likelihood and potential impact of specific threat events.
3. Communicate and share risk assessment information — Communicate risk assessment results to decision-makers to support risk responses. Share risk-related information with responsible organizational personnel to support other risk management activities across the organization.
4. Maintain the risk assessment — Continuously monitor the defined risk factors and use the results of this monitoring to update the existing risk assessment strategy.
The NIST guide also highlights insiders, trusted insiders, and privileged insiders as significant threat sources to keep an eye on.
This standard covers a wide range of cybersecurity controls, including those that mitigate insider threats:
- Implementing strict access control
- Regularly reviewing access privileges
- Removing accounts and access rights of former employees
- Enforcing a strong password policy and authentication mechanisms
Health Insurance Portability and Accountability Act (HIPAA). HIPAA requires healthcare organizations to conduct regular risk assessments and provides guidance to help them check compliance.
The Guidance on Risk Analysis Requirements under the HIPAA Security Rule also highlights threats enabled or caused by insiders, such as:
- Network- and computer-based attacks
- Installation of malicious software
- Unauthorized access to electronic protected health information
- Inadvertent data deletion or inaccurate data entry
Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS Risk Assessment Guidelines suggest using risk profiling to present all risks to an asset together with threats, vulnerabilities, and their respective risk scores. As part of risk profiling, organizations should specify insider and outsider as well as accidental and deliberate threat properties.
Apart from being required by laws and standards, risk assessments can help you enhance your cybersecurity. Let’s explore the real benefits of this process.
3 major benefits of an insider threat risk assessment
What can you achieve with a risk assessment?
Applying the risk assessment method for insider threats is one of the key steps in any risk management strategy. Without knowing the potential danger, it’s impossible to determine relevant cybersecurity measures.
Here are three major benefits of an in-depth insider threat risk assessment:
Get a full picture of the state of your organization’s cybersecurity. A thoughtful risk assessment hints at possible flaws in your organization’s current workflow and cybersecurity gaps that may allow malicious insiders to compromise corporate systems. It can also evaluate if your organization is ready to stand up to potential insider threats.
Detect existing insider threats. A risk assessment helps you see if users are currently employing unsecure and risky practices that may lead to security incidents. You also might detect suspicious activity that indicates a compromised account or malicious insider activity.
Enhance your organization’s data and asset security. An insider threat risk assessment is the basis for building an efficient insider threat program. Once you know which threats are the most dangerous to your organization’s cybersecurity, you can determine the most relevant mechanisms and tools to secure these weak spots and develop a risk mitigation plan accordingly.
Now let’s move to exploring the crucial steps of an insider threat assessment.
Key steps of an insider threat risk assessment
Start your risk management strategy with a risk assessment.
There are different ways to assess cybersecurity risks depending on the organization’s type, size, line of business, and relevant cybersecurity requirements. Therefore, let’s concentrate on the most essential steps you should take when performing an in-depth risk assessment.
1. Identify all critical assets in your organization
Start your risk assessment by determining all valuable assets across your organization that could be compromised by insiders.
Focus your attention on:
- Access to servers and admin panels of cloud services
- Customers’ sensitive information (credit card data, addresses, phone numbers, health records, etc.)
- Employees’ sensitive data
- Crucial systems and services (corporate networks, admin panels, key applications used within an organization)
- Data about partners and subcontractors (documents, agreements, contact information)
- Trade secrets and other confidential information
2. Define possible insider threats
An insider threat is an activity done by legitimate users within your network that negatively affects your organization, such as:
- Disclosure of sensitive data
- Sharing access to corporate systems with unauthorized people
- Deleting, changing, or misusing data
- Uploading malware to a corporate system
To identify potential insider threats, make sure to explore various scenarios of compromising your corporate network by answering the following questions:
- Which employees have elevated access rights and what do they use these rights for?
- How often do employees access corporate systems and sensitive data and for what purposes?
- How do employees store and handle their passwords?
- How do employees share passwords (if they use shared accounts)?
- Does the system allow employees to log in from unusual locations or devices?
- Can employees copy data to unknown USB devices?
- Can employees use corporate devices to access shadow IT resources?
3. Prioritize risks
To prioritize risks, you need to assess those risks and determine which most threaten the profitability of your business and could result in large losses for your company. You can use a risk matrix to define the level of each risk.
To assess insider threat risks, analyze the following four factors:
- Importance of the assets at risk
- Criticality of the threat
- Vulnerability of the system to the particular threat
- Likelihood of the threat’s occurrence
Think about what current security measures protect your systems from a given scenario. What are the chances of an actual data breach or other incident happening in case a potential threat is realized? Define the most dangerous and most likely threats and secure yourself against them first.
4. Create a risk assessment report
By wrapping the results of your insider threat risk assessment into a comprehensive report, you simplify decision-making at further stages of your risk management strategy.
You can use this report to:
- Determine possible solutions to mitigate or prevent the potential danger of each risk outlined in the report
- Adjust your risk management strategy according to detected risks and threats
- Communicate risk assessment results to decision-makers
- Share risk-related information with employees (in the form of a report, guide, or briefing)
Although cybersecurity improvements are usually defined during the following stages of a risk management strategy, you can already complement your report with suggested cybersecurity practices. The most common are:
- Enhancing authorization and authentication mechanisms
- Performing regular data backups
- Deploying data loss prevention tools
- Implementing detection and response mechanisms to identify security incidents
- Updating cybersecurity policies and guidelines
- Employing user monitoring solutions
5. Make assessing insider risks a regular practice
Organizations tend to change with time: they adopt new tools, software, devices, and practices, expand their departments, etc. All these changes may create new flaws in your organization’s cybersecurity.
Conduct a risk assessment on a regular basis and each time you make a significant change to your workflow. In this way, you can minimize the risks of missing gaps in your cybersecurity. Consider creating a template or checklist for regular risk assessments to make this process as simple and efficient as possible.
Mitigate insider risks with Ekran System
Ekran System is an insider risk management platform that allows you to deter, detect, and disrupt security incidents caused by insiders.
When performing regular risk assessments, you can leverage user activity monitoring and user behavior analytics to check whether your employees and contractors apply unsecure practices that can result in security incidents.
Also, you can instantly react to abnormal activity with automatic notifications and manual or automatic blocking of suspicious sessions, users, or processes.
Ekran System’s extensive auditing and reporting functionality will provide you with valuable insights into user activity. You can set custom rules in Ekran System to receive reports on a convenient schedule and choose specific data for which you need updates.
Secure your valuable assets and data with relevant measures. Ekran System offers a wide range of features to help you improve your organization’s cybersecurity.
Explore our case study to see how Ekran System helped an international certification body effectively secure their internal system against insider threats.
As the basis for an insider threat program, an insider risk assessment allows organizations to collect key information on weak spots in their cybersecurity and evaluate the consequences of potential security incidents. Gathered information can then be used to determine relevant cybersecurity improvements to prevent, detect, and respond to insider threats.
The key takeaway is to perform an in-depth insider risk assessment, paying attention to various insider threat scenarios — and to make this a regular practice.
With Ekran System’s comprehensive insider risk management functionality, you can deter, detect, and disrupt any insider threats. Request a free 30-day trial of Ekran System to start preventing insider threats right now!